Rust is a lovely programming language but I’ve never quite come to terms with crates.io, or any other of these language-specific repositories where everyone uploads and downloads code willy-nilly. If crates.io goes down or access is otherwise disrupted then the Rust community will stop work. It is profoundly unresilient to have a single point of failure like this. Certainly some people will have vendored their deps and others will have a panamax mirror handy, but for most, Rust as we know it stops if this one particular web service goes down.

There is no mediation of any kind between when a new library/version is published and when it is consumed. You need only one author in your maybe-hundreds-of-dependencies tree to be hacked, coerced or in a malicious mood for you to have a really bad day. Any tampering with crates.io itself (espionage, disgruntlement, national security) could have an incredibly wide blast radius, or an incredibly wide set of targets from which to choose. Since crates.io is the source for crates, it is normal for both developers and CI machines to be hitting this web service all the time. Opportunities for mischief are exacerbated when clients are phoning home so frequently.

I think we all need to take a step back from the altar of developer velocity and take a deep breath. So what’s the alternative? I don’t want dependencies hot off the press. Ideally I want someone independent of the authors playing a curatorial role. Now, actually getting some human review of dependency updates is quite a hard thing to do. cargo-crev has been trying for years to make this happen. I would love it if it were the solution but it isn’t yet, and I think it’s a little ambitious. Yes we would like to have super-experienced software developers reviewing all our libraries with cryptographic stamps of approval, but if they’re not available we could be the target of a remote shell in a build.rs.

What’s interesting is that this problem is largely solved for C and C++: Linux distributions like Debian package such a wide range of libraries that for many things that you want to develop or install, you don’t need any third-party libraries at all. It’s just a matter of finding the right apt-get incantations and off you go.
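One concrete form of the mediation the post asks for, and of "not hot off the press", is a cooling-off gate in CI: refuse any registry dependency in Cargo.lock whose version was published less than N days ago. The code below is an added example, not from the post or from cargo-crev; the Cargo.lock fragment and the publish times are constructed, and `MIN_AGE_DAYS` is an assumed policy value (in practice the publish times would come from the registry's API).

```rust
// Added example (not from the post): a "cooling-off" gate over Cargo.lock.
use std::collections::HashMap;

/// Minimum days a version must have been on the registry. Assumed policy value.
pub const MIN_AGE_DAYS: u64 = 7;
pub const SECS_PER_DAY: u64 = 86_400;
/// Constructed Cargo.lock fragment for the demo; not real crate data.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"alpha\"\nversion = \"1.2.0\"\n\
    source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\n\
    [[package]]\nname = \"beta\"\nversion = \"0.3.1\"\n\
    source = \"registry+https://github.com/rust-lang/crates.io-index\"\n";

/// (name, version) of every registry-sourced `[[package]]` in a Cargo.lock;
/// path and git dependencies (no `registry+` source) are skipped.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        // First `key = "value"` line of this package table, with quotes removed.
        let field = |key: &str| {
            block.lines().map(str::trim).find_map(|l| l.strip_prefix(key))
                .map(|v| v.trim_matches('"').to_string())
        };
        let registry = field("source = ").map_or(false, |s| s.starts_with("registry+"));
        if let (Some(n), Some(v), true) = (field("name = "), field("version = "), registry) {
            out.push((n, v));
        }
    }
    out
}

/// `name@version` keys younger than MIN_AGE_DAYS or with no known publish time
/// (unknown is a failure, never a pass). `published` maps "name@version" to
/// publish time in Unix seconds, as a registry API would report; `now` likewise.
pub fn too_fresh(lock: &str, published: &HashMap<&str, u64>, now: u64) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .map(|(n, v)| format!("{n}@{v}"))
        .filter(|key| match published.get(key.as_str()) {
            Some(&t) => now.saturating_sub(t) < MIN_AGE_DAYS * SECS_PER_DAY,
            None => true,
        })
        .collect()
}

fn main() {
    let now = 1_700_000_000u64;
    let published = HashMap::from([("alpha@1.2.0", now - 30 * SECS_PER_DAY), ("beta@0.3.1", now - 2 * SECS_PER_DAY)]);
    for key in too_fresh(SAMPLE_LOCK, &published, now) {
        println!("refusing {key}: on the registry for less than {MIN_AGE_DAYS} days");
    }
}
```

A missing publish time is treated as a refusal rather than a pass, so a registry outage or an unknown source fails the build instead of silently waving the dependency through.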